The immense growth of the Internet has spawned demand for an ever-increasing array of applications and services, many of which are distributed across systems that reside on different networks. In fact, many companies are increasingly relying on cloud computing resources to host and serve applications and services in order to leverage the flexibility, scalability, and ease of deployment offered by cloud-based technologies. While distributed- and cloud-computing environments offer unparalleled reliability and versatility, such environments are more vulnerable to denial-of-service attacks than centralized environments, which have fewer components exposed to insecure connections.
Detecting and mitigating the effects of denial-of-service attacks invariably involves monitoring network flow characteristics to identify patterns associated with both illegitimate and legitimate network traffic. Traffic that possesses illegitimate characteristics/behavior can be blocked, while traffic that exhibits legitimate behavior is allowed to progress through the network.
One solution for monitoring network flow patterns involves using an external network analysis sensor or “probe” that connects to a port of a switch or router. The network probe is configured to monitor raw data packets as they traverse the network. More specifically, duplicate copies of sample traffic flows are provided to the probe through a data analysis port (such as a Switched Port ANalyzer (“SPAN”) port) located on the network equipment. The probe then analyzes the data contained in the sample traffic flows to identify potentially malicious traffic. While these conventional network probes may be well equipped to identify attacks whose characteristics are easily gleaned from information explicitly contained in the raw packets themselves, the probes are limited in their ability to protect against attacks carried by traffic whose raw packet data contains no conspicuous indicator of malice. Indeed, many malicious attacks use tactics that are not easily observable in the raw data itself. For example, denial-of-service attacks involve overwhelming a targeted network resource with traffic whose packets carry data that appears, at least at first glance, legitimate. Detecting these types of attacks may require observing certain implicit characteristics of the traffic behavior, which are not typically detectable in the data provided at a SPAN port.
In order to provide a more robust network monitoring solution, some switches and routers include on-board network monitoring capabilities that enable detection of certain malicious network flow patterns. Such on-board processing within the switch (or router) allows for the relatively easy, near real-time observation of certain implicit network traffic information that is not provided by a SPAN copy, such as, for example, the ingress/egress switch interfaces, next-hop route decisions, and source/destination autonomous system (AS) numbers associated with a flow. Network equipment with these capabilities allows for monitoring of both the explicit and implicit clues indicative of a malicious network attack.
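To make the distinction concrete, the following added example (not from the disclosure above) models a flow record carrying the implicit attributes the text names and runs two defensive checks over constructed sample flows: one that needs only packet-visible fields (distinct sources per target) and one that is impossible from a SPAN copy because it depends on the ingress interface. The expected-ingress table, interface names, AS numbers and addresses are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One flow as an on-board monitor could export it."""
    src_ip: str
    dst_ip: str
    dst_port: int
    packets: int
    ingress_if: str   # implicit: interface the flow arrived on (not in a SPAN copy)
    next_hop: str     # implicit: forwarding decision made for the flow
    src_as: int       # implicit: source autonomous system number


# Hypothetical topology: the interface on which traffic from each peer AS is
# expected to arrive. A real deployment would derive this from routing state.
EXPECTED_INGRESS = {64500: "Gi0/1", 64501: "Gi0/2"}

# Constructed sample flows toward one service; the last one claims AS 64500 but
# arrived on the interface reserved for AS 64501 (a spoofing indicator).
SAMPLE_FLOWS = [
    FlowRecord("192.0.2.10", "198.51.100.10", 443, 120, "Gi0/1", "10.0.0.2", 64500),
    FlowRecord("192.0.2.11", "198.51.100.10", 443, 80, "Gi0/1", "10.0.0.2", 64500),
    FlowRecord("203.0.113.5", "198.51.100.10", 443, 3, "Gi0/2", "10.0.0.2", 64501),
    FlowRecord("192.0.2.99", "198.51.100.10", 443, 1, "Gi0/2", "10.0.0.2", 64500),
]


def distinct_sources_per_target(flows):
    """Explicit-data check: how many distinct sources hit each (dst, port).
    Computable from raw packets alone, so a SPAN probe could do this too."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f.dst_ip, f.dst_port)].add(f.src_ip)
    return {target: len(srcs) for target, srcs in targets.items()}


def ingress_mismatches(flows):
    """Implicit-data check: flows whose source AS arrived on an interface other
    than the one the topology expects. Needs ingress_if, which a SPAN copy lacks."""
    flagged = []
    for f in flows:
        expected = EXPECTED_INGRESS.get(f.src_as)
        if expected is not None and expected != f.ingress_if:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    print(distinct_sources_per_target(SAMPLE_FLOWS))
    print([f.src_ip for f in ingress_mismatches(SAMPLE_FLOWS)])
```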
Although switches and routers that provide on-board network flow monitoring give access to more information that can be evaluated to detect a malicious attack, they may still be deficient in many regards. Specifically, on-board flow monitoring involves resource-intensive operations, which burden the on-board processor and memory and ultimately slow the core functionality of the device. Furthermore, during a denial-of-service attack—the time at which flow monitoring is most critical to detecting and mitigating the attack—on-board network flow monitoring capabilities tend to be degraded along with the other processing functions of the switch.
The presently disclosed systems and methods for monitoring network flow attributes are directed to overcoming one or more of the problems set forth above and/or other problems in the art.